Posted to commits@ranger.apache.org by pr...@apache.org on 2018/03/27 06:33:33 UTC

ranger git commit: RANGER-2038 : Handle validations for Auditor role users for Grant/revoke actions as well

Repository: ranger
Updated Branches:
  refs/heads/master ab0b91fd6 -> ec754db0f


RANGER-2038 : Handle validations for Auditor role users for Grant/revoke actions as well

Signed-off-by: pradeep <pr...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/ec754db0
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/ec754db0
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/ec754db0

Branch: refs/heads/master
Commit: ec754db0fe7ac788a9c9a439c5aa2ae66f32e021
Parents: ab0b91f
Author: fatimaawez <fa...@gmail.com>
Authored: Mon Mar 26 18:50:27 2018 +0530
Committer: pradeep <pr...@apache.org>
Committed: Tue Mar 27 11:29:16 2018 +0530

----------------------------------------------------------------------
 .../org/apache/ranger/rest/ServiceREST.java     | 37 ++++++++++++++++----
 1 file changed, 30 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/ec754db0/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 1bff815..3707f4e 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -72,6 +72,7 @@ import org.apache.ranger.common.JSONUtil;
 import org.apache.ranger.common.MessageEnums;
 import org.apache.ranger.common.PropertiesUtil;
 import org.apache.ranger.common.RESTErrorUtil;
+import org.apache.ranger.common.RangerConstants;
 import org.apache.ranger.common.RangerSearchUtil;
 import org.apache.ranger.common.RangerValidatorFactory;
 import org.apache.ranger.common.ServiceUtil;
@@ -115,6 +116,7 @@ import org.apache.ranger.service.RangerPolicyLabelsService;
 import org.apache.ranger.service.RangerPolicyService;
 import org.apache.ranger.service.RangerServiceDefService;
 import org.apache.ranger.service.RangerServiceService;
+import org.apache.ranger.service.XUserService;
 import org.apache.ranger.view.RangerExportPolicyList;
 import org.apache.ranger.view.RangerPluginInfoList;
 import org.apache.ranger.view.RangerPolicyList;
@@ -123,6 +125,7 @@ import org.apache.ranger.view.RangerServiceList;
 import org.apache.ranger.view.VXPolicyLabelList;
 import org.apache.ranger.view.VXResponse;
 import org.apache.ranger.view.VXString;
+import org.apache.ranger.view.VXUser;
 import org.codehaus.jackson.map.ObjectMapper;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Scope;
@@ -162,6 +165,8 @@ public class ServiceREST {
 	@Autowired
 	ServiceMgr serviceMgr;
 
+        @Autowired
+        XUserService xUserService;
 	@Autowired
 	AssetMgr assetMgr;
 
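Review bot: The new `xUserService` field is indented with eight spaces while the neighbouring `@Autowired` fields use a tab, and the blank line that separates each field pair is missing before `@Autowired AssetMgr assetMgr;`. The same space-vs-tab mix appears in the other hunks of this commit (the `VXUser vxUser` blocks in grantAccess and revokeAccess, and the moved `bizUtil.blockAuditorRoleUser();` lines), where the `vXResponse` lines are additionally indented to a different column than the `if` that encloses them. Re-indenting the added lines with tabs to match the file, and adding the blank line after `XUserService xUserService;`, would keep the class readable in a diff view.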
@@ -1068,9 +1073,18 @@ public class ServiceREST {
 					String               userName   = grantRequest.getGrantor();
 					Set<String>          userGroups = CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups()) ? grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
 					RangerAccessResource resource   = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()));
-	
+                                        VXUser vxUser = xUserService.getXUserByUserName(userName);
+                                        if(vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR) || vxUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)){
+                                                 VXResponse vXResponse = new VXResponse();
+                         vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+                         vXResponse.setMsgDesc("Operation"
+                                         + " denied. LoggedInUser="
+                                         +  vxUser.getId()
+                                         + " ,isn't permitted to perform the action.");
+                         throw restErrorUtil.generateRESTException(vXResponse);
+                                        }
 					boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
-                                        bizUtil.blockAuditorRoleUser();
+
 					if(!isAdmin) {
 						throw restErrorUtil.createGrantRevokeRESTException( "User doesn't have necessary permission to grant access");
 					}
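Review bot: The session-level `bizUtil.blockAuditorRoleUser();` is removed from grantAccess while the replacement check keys on `grantRequest.getGrantor()`, a value the caller supplies in the request body, so unless something outside this hunk ties the grantor to the authenticated caller (not visible here) an auditor session is no longer blocked by its own role; keeping the session check alongside the new grantor check is the safer option. The new block also dereferences `vxUser` without a null check, so a grantor with no Ranger user record turns into a NullPointerException (a 500) rather than a deliberate deny or fall-through to `hasAdminAccess`, and the message labels the grantor's id as `LoggedInUser=` although it is the grantor, not the session user. The same ten lines are duplicated in the revokeAccess hunk; a private helper shared by both (sketched below) removes the duplication and gives the null case one defined behaviour — here it falls through to `hasAdminAccess`, but denying is equally defensible and should be decided explicitly. grantAccess begins and ends outside this hunk.
```java
// grantAccess: one call replaces the inline role-list check; the session check is kept.
denyIfGrantorIsAuditor(userName);
boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
bizUtil.blockAuditorRoleUser();
// … unchanged: isAdmin check and the rest of grantAccess …

/**
 * Rejects a grant/revoke request whose grantor holds an auditor role.
 * Shared by grantAccess and revokeAccess.
 */
private void denyIfGrantorIsAuditor(String grantorName) {
    VXUser vxUser = xUserService.getXUserByUserName(grantorName);
    // No Ranger user record or no roles: nothing to check here; hasAdminAccess still applies.
    if (vxUser == null || vxUser.getUserRoleList() == null) {
        return;
    }
    if (vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR)
            || vxUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) {
        VXResponse vXResponse = new VXResponse();
        vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
        vXResponse.setMsgDesc("Operation denied. Grantor=" + vxUser.getId()
                + " ,isn't permitted to perform the action.");
        throw restErrorUtil.generateRESTException(vXResponse);
    }
}
```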
@@ -1153,6 +1167,7 @@ public class ServiceREST {
 		RangerPerfTracer perf = null;
 		boolean isAllowed = false;
 		boolean isKeyAdmin = bizUtil.isKeyAdmin();
+                bizUtil.blockAuditorRoleUser();
 		if(grantRequest!=null){
 			if (serviceUtil.isValidService(serviceName, request)) {
 				try {
@@ -1185,7 +1200,6 @@ public class ServiceREST {
 							isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName);
 						}
 					}
-                                        bizUtil.blockAuditorRoleUser();
 					if (isAllowed) {
 						RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource, userName);
 
@@ -1280,9 +1294,18 @@ public class ServiceREST {
 					String               userName   = revokeRequest.getGrantor();
 					Set<String>          userGroups = CollectionUtils.isNotEmpty(revokeRequest.getGrantorGroups()) ? revokeRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
 					RangerAccessResource resource   = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()));
-
+                                        VXUser vxUser = xUserService.getXUserByUserName(userName);
+                                        if(vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR) || vxUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)){
+                                                 VXResponse vXResponse = new VXResponse();
+                         vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+                         vXResponse.setMsgDesc("Operation"
+                                         + " denied. LoggedInUser="
+                                         +  vxUser.getId()
+                                         + " ,isn't permitted to perform the action.");
+                         throw restErrorUtil.generateRESTException(vXResponse);
+                                        }
 					boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
-                                        bizUtil.blockAuditorRoleUser();
+
 					if(!isAdmin) {
 						throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to revoke access");
 					}
@@ -1344,7 +1367,7 @@ public class ServiceREST {
 					boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
 					boolean isAllowed = false;
 					boolean isKeyAdmin = bizUtil.isKeyAdmin();
-
+                                        bizUtil.blockAuditorRoleUser();
 					XXService xService = daoManager.getXXService().findByName(serviceName);
 					XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
 					RangerService rangerService = svcStore.getServiceByName(serviceName);
@@ -1363,7 +1386,7 @@ public class ServiceREST {
 							isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName);
 						}
 					}
-                                        bizUtil.blockAuditorRoleUser();
+
 					if (isAllowed) {
 						RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource, userName);